Configuring MPLS VPNs

A Virtual Private Network (VPN) is an IP-based network that delivers private network services over a public infrastructure. VPNs allow you to create a set of sites that can communicate privately over the Internet or other public or private networks.

Understanding MPLS VPNs

A conventional VPN consists of a full mesh of tunnels or permanent virtual circuits (PVCs) connecting all of the sites within the VPN. This type of VPN requires changes to each edge device in the VPN in order to add a new site. MPLS VPNs, also known as Layer 3 VPNs, are easier to manage and expand than conventional VPNs because they use Layer 3 communication protocols and are based on a peer model. The peer model enables the service provider and customer to exchange Layer 3 routing information, so the service provider can relay data between customer sites without customer involvement. The peer model also improves the security of data transmission between VPN sites because data is isolated between VPN sites.

The Cisco ASR 901 supports the following MPLS VPN types:

  • Basic Layer 3 VPN—Provides a VPN private tunnel connection between customer edge (CE) devices in the service provider network. The provider edge (PE) router uses Multiprotocol Border Gateway Protocol (MP-BGP) to distribute VPN routes and MPLS Label Distribution Protocol (LDP) to distribute Interior Gateway Protocol (IGP) labels to the next-hop PE router.
  • Multi-VRF CE—Extends limited PE functionality to a CE router in an MPLS VPN model. The CE router can maintain separate VRF tables, which extends the privacy and security of an MPLS VPN down to a branch office rather than stopping at the PE router.

Note

Cisco ASR 901 does not support VRF on TDM interfaces.

Configuring MPLS VPNs

Layer 3 VPNs allow you to establish VPNs in a routed environment, improving the flexibility and ease of maintenance of VPNs. For instructions on how to configure Layer 3 VPNs, see the MPLS Configuration Guide, Cisco IOS Release 15.1S.

The following restrictions apply to MPLS VPNs:

  • When the port channel is in the core, the bridge ID must be equal to the encapsulation ID.

  • Equal Cost Multipath (ECMP) is not supported for swap cases.

  • ECMP is not supported for MPLS-labeled prefixes due to a hardware limitation; only one MPLS path can be configured at a time.

Configuration Examples for MPLS VPN

This section contains the following sample configurations involving three routers:

PE1 Configuration

Current configuration : 3326 bytes
!
! Last configuration change at 20:37:37 UTC Thu Sep 29 2011
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!card type command needed for slot/vwic-slot 0/0
no logging console
!
no aaa new-model
ip source-route
ip cef
!
ip vrf customer_2
rd 1:2
route-target export 1:2
route-target import 1:2
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback2
no ip address
!
interface Loopback100
ip address 111.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
no negotiation auto
!
interface GigabitEthernet0/1
no negotiation auto
!
interface GigabitEthernet0/2
no negotiation auto
!
interface GigabitEthernet0/3
no negotiation auto
!
interface GigabitEthernet0/4
no negotiation auto
!
interface GigabitEthernet0/5
media-type sfp
no negotiation auto
cdp enable
service instance 2 ethernet
 encapsulation dot1q 2
 rewrite ingress tag pop 1 symmetric
 bridge-domain 2
!
!
interface GigabitEthernet0/6
no negotiation auto
service instance 10 ethernet
 encapsulation dot1q 20
 bridge-domain 120
!
!
interface GigabitEthernet0/7
load-interval 30
media-type sfp
no negotiation auto
cdp enable
service instance 300 ethernet
 encapsulation dot1q 300
 rewrite ingress tag pop 1 symmetric
 bridge-domain 300
!
!
interface GigabitEthernet0/8
no negotiation auto
!
interface GigabitEthernet0/9
load-interval 30
no negotiation auto
service instance 10 ethernet
 encapsulation dot1q 301
 rewrite ingress tag pop 1 symmetric
 bridge-domain 301
!
!
interface GigabitEthernet0/10
no negotiation auto
ethernet dot1ad nni
service instance 1 ethernet
 encapsulation dot1ad 30
 rewrite ingress tag pop 1 symmetric
!
!
interface GigabitEthernet0/11
no negotiation auto
!
interface ToP0/12
no negotiation auto
!
interface FastEthernet0/0
no ip address
full-duplex
!
interface Vlan1
!
interface Vlan2
ip vrf forwarding customer_2
ip address 2.2.1.1 255.255.255.0
!
interface Vlan300
ip address 1.0.0.1 255.255.255.0
mpls ip
!
interface Vlan301
ip address 11.0.0.1 255.255.255.0
mpls ip
!
router ospf 22
router-id 1.0.0.1
redistribute connected subnets
network 1.0.0.0 0.0.0.255 area 23
network 11.0.0.0 0.0.0.255 area 23
!
router bgp 1
bgp log-neighbor-changes
neighbor 111.0.1.1 remote-as 1
neighbor 111.0.1.1 update-source Loopback100
!
address-family ipv4
 redistribute connected
 neighbor 111.0.1.1 activate
 neighbor 111.0.1.1 send-community both
exit-address-family
!
address-family vpnv4
 neighbor 111.0.1.1 activate
 neighbor 111.0.1.1 send-community both
exit-address-family
!
address-family ipv4 vrf customer_2
 redistribute static
 aggregate-address 190.0.0.0 255.0.0.0 summary-only
 redistribute connected
 neighbor 2.2.1.2 remote-as 100
 neighbor 2.2.1.2 activate
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
!
logging esm config
cdp run
!
mpls ldp router-id Loopback100 force
!
!
control-plane
!
!
line con 0
line con 1
transport preferred lat pad telnet rlogin udptn mop ssh
transport output lat pad telnet rlogin udptn mop ssh
line vty 0 4
login
!
exception data-corruption buffer truncate
exception crashinfo buffersize 128
!
end
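The isolation an MPLS VPN provides depends on the VRF plumbing in a PE configuration like the one above being consistent: every VRF needs an RD and route-targets, and every interface or BGP VRF address family must name a VRF that is actually defined, otherwise customer traffic or routes end up outside the intended VRF. The checker below is an added example, not code from the Cisco guide; it parses an IOS-style configuration and reports those inconsistencies, using a constructed snippet modelled on PE1 (with deliberate defects) as input.

```python
import re

# Constructed sample modelled on the PE1 configuration above, with deliberate defects:
# customer_3 lacks route-targets; Vlan3 and the BGP VRF address-family name VRFs
# that are never defined.
SAMPLE_CONFIG = """\
ip vrf customer_2
 rd 1:2
 route-target export 1:2
 route-target import 1:2
ip vrf customer_3
 rd 1:3
interface Vlan2
 ip vrf forwarding customer_2
interface Vlan3
 ip vrf forwarding customer_9
router bgp 1
 address-family ipv4 vrf cust
  neighbor 2.2.1.2 remote-as 100
 exit-address-family
"""

def parse_vrfs(config):
    # Collect every top-level 'ip vrf NAME' block with its rd and route-targets.
    vrfs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip vrf (?!forwarding\b)(\S+)", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"rd": None, "rt": set()})
        elif not line.startswith(" "):
            current = None            # an unindented line ends the block
        elif current is not None:
            t = line.split()
            if len(t) == 2 and t[0] == "rd":
                current["rd"] = t[1]
            elif len(t) == 3 and t[0] == "route-target":
                current["rt"].add((t[1], t[2]))   # (import|export, ASN:nn)
    return vrfs

def audit_vrfs(config):
    # Report VRFs with no rd or route-target, and references to undefined VRFs.
    vrfs, findings = parse_vrfs(config), []
    for name, v in vrfs.items():
        if v["rd"] is None:
            findings.append(f"vrf {name}: no rd configured")
        if not v["rt"]:
            findings.append(f"vrf {name}: no route-target import/export")
    refs = re.findall(r"^ *(?:ip vrf forwarding|address-family ipv4 vrf) (\S+)", config, re.M)
    findings += [f"reference to undefined vrf {n}" for n in refs if n not in vrfs]
    return findings
```

Run `audit_vrfs` over the output of `show running-config` to catch a misnamed VRF before the CE session comes up in the wrong table.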

Provider Configuration

Router_1#show running-config interface gigabitEthernet 4/15
Building configuration...
Current configuration : 80 bytes
!
interface GigabitEthernet4/15
 ip address 9.0.0.1 255.255.255.0
 mpls ip
end
Router_1#show running-config interface gigabitEthernet 4/16
Building configuration...
Current configuration : 91 bytes
!
interface GigabitEthernet4/16
 ip address 1.0.0.2 255.255.255.0
 mpls ip
end
Router_1#
mpls ldp router-id Loopback2 force
Router_1#show running-config partition router bgp 1
Building configuration...
Current configuration : 664 bytes
!
Configuration of Partition - router bgp 1
!
!
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 100.0.0.1 remote-as 1
 neighbor 100.0.0.1 update-source Loopback2
 neighbor 100.0.1.1 remote-as 1
 neighbor 100.0.1.1 update-source Loopback2
 !
 address-family ipv4
  no synchronization
  neighbor 100.0.0.1 activate
  neighbor 100.0.0.1 send-community both
  neighbor 100.0.1.1 activate
  neighbor 100.0.1.1 send-community both
  no auto-summary
 exit-address-family
 !
 address-family vpnv4
  neighbor 100.0.0.1 activate
  neighbor 100.0.0.1 send-community both
  neighbor 100.0.1.1 activate
  neighbor 100.0.1.1 send-community both
 exit-address-family
!
!
end
Router_1#
Router_1#show running-config partition router ospf 1
Building configuration...
Current configuration : 197 bytes
!
Configuration of Partition - router ospf 1
!
!
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 1.0.0.0 0.0.0.255 area 0
 network 9.0.0.0 0.0.0.255 area 0
!
!
end

PE2 Configuration

Interface details

Router_3#show running-config interface gigabitEthernet 6/3
Building configuration...
Current configuration : 79 bytes
!
interface GigabitEthernet6/3
 ip address 9.0.0.2 255.255.255.0
 mpls ip
end
Router_3#show running-config interface gigabitEthernet 6/6
Building configuration...
Current configuration : 107 bytes
!
interface GigabitEthernet6/6
 ip vrf forwarding customer_red
 ip address 20.20.30.100 255.255.255.0
end
Router_3#show running-config interface gigabitEthernet 6/2
Building configuration...
Current configuration : 136 bytes
!
interface GigabitEthernet6/2
 ip vrf forwarding customer_green
 ip address 20.20.30.99 255.255.255.0
 speed nonegotiate
 mpls ip
end
Router_3#

OSPF and BGP details

Router_3#show running-config partition router bgp 1
Building configuration...
Current configuration : 1061 bytes
!
Configuration of Partition - router bgp 1
!
!
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 35.35.35.35 remote-as 1
 neighbor 35.35.35.35 update-source Loopback1
 neighbor 100.0.0.1 remote-as 1
 neighbor 100.0.0.1 update-source Loopback1
 !
 address-family ipv4
  no synchronization
  redistribute connected
  neighbor 35.35.35.35 activate
  neighbor 35.35.35.35 send-community both
  neighbor 100.0.0.1 activate
  neighbor 100.0.0.1 send-community both
  no auto-summary
 exit-address-family
 !
 address-family vpnv4
  neighbor 35.35.35.35 activate
  neighbor 35.35.35.35 send-community both
  neighbor 100.0.0.1 activate
  neighbor 100.0.0.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf customer_green
  redistribute static
  aggregate-address 191.0.0.0 255.0.0.0 summary-only
  no synchronization
  redistribute connected
  neighbor 20.20.30.199 remote-as 200
  neighbor 20.20.30.199 activate
 exit-address-family
 !
 address-family ipv4 vrf customer_red
  redistribute static
  aggregate-address 191.0.0.0 255.0.0.0 summary-only
  no synchronization
  redistribute connected
  neighbor 20.20.30.200 remote-as 100
  neighbor 20.20.30.200 activate
 exit-address-family
!
!
end
Router_3#show running-config partition router ospf 1
Building configuration...
Current configuration : 220 bytes
!
Configuration of Partition - router ospf 1
!
!
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 9.0.0.0 0.0.0.255 area 0
 network 20.20.30.0 0.0.0.255 area 0
 bfd all-interfaces
!
!
end
Router_3#

Loopback details

Router_3#show interfaces Loopback 1
Loopback1 is up, line protocol is up
  Hardware is Loopback
  Internet address is 100.0.1.1/24
  MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation LOOPBACK, loopback not set
  Keepalive set (10 sec)
  Last input 20:14:17, output never, output hang never
  Last clearing of "show interface" counters 22:18:00
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     21 packets output, 1464 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Router_3#show run | i Loopback
interface Loopback1
interface Loopback60
 neighbor 35.35.35.35 update-source Loopback1
 neighbor 100.0.0.1 update-source Loopback1
mpls ldp router-id Loopback1 force
Router_3#